

Author Topic: Mapping and disassembling C64's Maniac Mansion (Read 642 times)

Online gflorez

Mapping and disassembling C64's Maniac Mansion
« on: 2017.October.22. 00:17:25 »
The Point&Click adventure game genre started with Maniac Mansion for the C64 and spread easily to other 8-bit computers based on the 68XX processor family. Then the game and the genre jumped to the 16-bit machines without even touching one Z80 computer.

Mouse control wasn't planned for the 1987 release; after all, that was precisely when the device was being introduced. But also because there was no space left in the C64 memory for the needed mouse driver.

Later, in 2009, a C64 enthusiast nicknamed enthusi made an attempt to put mouse control on the C64 game.

But the best part is: to do it, he completely reverse engineered the game. First he removed the special disc format, and then he carefully placed all the data he found on a NeoRam-GeoRam cartridge image. He explains the process in his release instructions. A pity he didn't free the code obtained.

The special game image can be downloaded from here. I have installed the ViceC64 emulator, as it supports NeoRam-GeoRam cartridge emulation, and it works flawlessly. Once the image is loaded it must be launched with SYS 57000 or SYS 57E3. He has added mouse control and some extras, and has fixed the flagrant errors found, but the game works exactly the same.

As you already know, this game is based on a script language and parser named SCUMM, in this first instance version 0. The subsequent versions up to 2 were made for the conversions to other computers, removing the "C64 only" characteristics of Maniac Mansion (like SID music, side scroll, hardware sprites or graphic modes) to make SCUMM more portable. Later on, new games added more and more characteristics to SCUMM, up to version 8.

The NeoRam-GeoRam cartridge is a RAM expansion, but the NeoRam version has a battery to maintain the memory content. It works by paging 16Kb segments, like the Enterprise memory. I have peeked at the image with a hex editor, and all the information is there, completely accessible without protections. Probably even the SID songs can be easily extracted and converted.
« Last Edit: 2017.October.22. 02:22:35 by gflorez »

Online gflorez

Re:Mapping and disassembling C64's Maniac Mansion
« Reply #1 on: 2017.October.23. 00:19:51 »
I have found a disassembly of the Maniac Mansion script here. It is not the code of the program, much better, the rules that govern its behaviour.

It even has several maps of the game:



Online gflorez

Re:Mapping and disassembling C64's Maniac Mansion
« Reply #2 on: 2017.October.24. 02:52:56 »
The scripts seem to match the real content of the NeoRam image:



Observe:
40h      cutscene()
6001h    cursorCommand(kModeKeypad)
0C01h    loadSound(1)
5301h    lockSound(1)
0C3Ah    loadSound(58)
533Ah    lockSound(58)
..........etc.

Online gflorez

Re:Mapping and disassembling C64's Maniac Mansion
« Reply #3 on: 2017.October.26. 02:49:36 »
Now I have found the entry point of the NeoRam image: 00000h in the image is DE00h in the processor's memory:

Code:
ORG = DE00
DE00   78         SEI
DE01   A2 1A      LDX #$1A
DE03   BD 00 DE   LDA $DE00,X
DE06   8D 00 08   STA $0800
DE09   E8         INX
DE0A   F0 06      BEQ $DE12
DE0C   EE 07 DE   INC $DE07
DE0F   4C 03 DE   JMP $DE03
DE12   A9 00      LDA #$00
DE14   8D 07 DE   STA $DE07
DE17   4C 00 08   JMP $0800
DE1A   A9 00      LDA #$00
DE1C   8D FF DF   STA $DFFF
DE1F   8D FE DF   STA $DFFE
DE22   AD CE DE   LDA $DECE
DE25   85 02      STA $02
DE27   AD 11 D0   LDA $D011
DE2A   29 EF      AND #$EF
DE2C   8D 11 D0   STA $D011
DE2F   AD 91 08   LDA $0891
DE32   8D 93 08   STA $0893
DE35   29 3F      AND #$3F
DE37   8D FE DF   STA $DFFE
DE3A   AD 92 08   LDA $0892
DE3D   0E 93 08   ASL $0893
DE40   2A         ROL A
DE41   0E 93 08   ASL $0893
DE44   2A         ROL A
DE45   8D FF DF   STA $DFFF
DE48   A2 00      LDX #$00
DE4A   BD 00 DE   LDA $DE00,X
DE4D   9D 00 10   STA $1000,X
DE50   E8         INX
DE51   D0 F7      BNE $DE4A
DE53   EE 35 08   INC $0835
DE56   EE 91 08   INC $0891
DE59   D0 03      BNE $DE5E
DE5B   EE 92 08   INC $0892
DE5E   AD 35 08   LDA $0835
DE61   C9 40      CMP #$40
DE63   D0 B5      BNE $DE1A
DE65   4C 00 10   JMP $1000
DE68              .END


But to understand what it does I need to learn some 6510 assembler code, and also how the C64 memory is organised with a NeoRam cartridge.

Offline geco

Re:Mapping and disassembling C64's Maniac Mansion
« Reply #4 on: 2017.October.26. 08:43:38 »
The problem is that this is a huge amount of work; the scripts seem to be very useful, but I think it is about 1 year of work for 1 person. :(

Online gflorez

Re:Mapping and disassembling C64's Maniac Mansion
« Reply #5 on: 2017.October.26. 10:30:55 »
Perfect! the kind of absurd and boring knowledge that I like...

Offline geco

Re:Mapping and disassembling C64's Maniac Mansion
« Reply #6 on: 2017.October.26. 10:37:32 »
Quote: "Perfect! the kind of absurd and boring knowledge that I like..."
It is not boring or absurd, and I would like to see Maniac Mansion and Zak McKracken on EP, even though I played those games only 2-3 times on C64, and I am happy if you start it :)

Online gflorez

Re:Mapping and disassembling C64's Maniac Mansion
« Reply #7 on: 2017.October.26. 11:43:40 »
I can map and disassemble all zones of the cartridge image, but in the end "somebody" has to take over the information and convert the game.

Zak McKracken is version 1 of SCUMM. It is outside my intentions for now, but knowing how Maniac Mansion (MM from now on) works will make it easier to understand the evolution.

I want to create a new thread for this named "Mapping and disassembling C64's Maniac Mansion".

Online Zozosoft

Re:Mapping and disassembling C64's Maniac Mansion
« Reply #8 on: 2017.October.26. 12:08:32 »
Quote: "I want to create a new thread for this named "Mapping and disassembling C64's Maniac Mansion"."
Done!

Offline geco

Re:Mapping and disassembling C64's Maniac Mansion
« Reply #9 on: 2017.October.26. 13:06:08 »
Quote: "I want to create a new thread for this named "Mapping and disassembling C64's Maniac Mansion"."
We can try :)

Online gflorez

Re: Mapping and disassembling C64's Maniac Mansion
« Reply #10 on: 2017.October.29. 20:43:53 »
Ok, chapter one.

First of all I have to explain a little how the GeoRam-NeoRam cartridge works. It takes advantage of a little zone in the C64 memory map used for I/O with interface extensions, from DE00h to DFFFh. The cartridge implements a 256b window at DE00h-DEFFh to read/write the extra memory. To select the visible 256b area two memory registers are provided: DFFFh to select the 16kb block and DFFEh to select the 256b page inside the 16kb block.

A typical cartridge has 512k of memory inside, but can grow up to 4M, i.e. DFFFh will contain from 0 to 31 or up to 255. On the other side DFFEh will hold 0 to 63, the number of possible 256b pages in a 16k block. Both registers are write-only, so the values have to be maintained in the program's variable zone.

------------

Launcher: just at block 0, page 0, there is a little launcher that copies a loader to main memory. The game can be started with SYS 57000, SYS 57E3 or SYS DE00 (I don't know why all the possibilities).

Code:
DE00   78         SEI           ;disable interrupts
DE01   A2 1A      LDX #$1A      ;load index register X immediate with 1Ah

DE03   BD 00 DE   LDA $DE00,X   ;load A absolute indexed with X (base address $DE00+X)
DE06   8D 00 08   STA $0800     ;store A absolute at ($0800)
DE09   E8         INX           ;increment X
DE0A   F0 06      BEQ $DE12     ;branch if 0, so copy from $DE1A to $DEFF
DE0C   EE 07 DE   INC $DE07     ;self-modifying code increments the byte at $DE07 (low byte of the STA operand)
DE0F   4C 03 DE   JMP $DE03     ;loop; jump to absolute address

DE12   A9 00      LDA #$00      ;load A immediate with $00
DE14   8D 07 DE   STA $DE07     ;self-modifying code restores a $00 byte at $DE07
DE17   4C 00 08   JMP $0800     ;jump to the copied code at $0800

This copies the following 230b chunk from the 256b window to 0800h in main memory and then jumps to it.

Loader:

Code:
0800   A9 00      LDA #$00      ;load A immediate with $00
0802   8D FF DF   STA $DFFF     ;selects NeoRam 16k block 0
0805   8D FE DF   STA $DFFE     ;selects NeoRam 256b page 0
0808   AD CE DE   LDA $DECE     ;still unknown
080B   85 02      STA $02       ;this address is left unused on stock configuration
080D   AD 11 D0   LDA $D011     ;Screen control register #1
0810   29 EF      AND #$EF      ;11101111b  Bit #4: 0 = Screen off
0812   8D 11 D0   STA $D011     ;Screen control register #1
0815   AD 91 08   LDA $0891     ;middle byte address of NeoRam ?
0818   8D 93 08   STA $0893     ;store intermediary value
081B   29 3F      AND #$3F      ;00111111b    0 to 63 256b pages
081D   8D FE DF   STA $DFFE     ;selects NeoRam 256b page
0820   AD 92 08   LDA $0892     ;high byte address of NeoRam ?
0823   0E 93 08   ASL $0893     ;\
0826   2A         ROL A         ; \ take the two higher bits of the intermediary byte and
0827   0E 93 08   ASL $0893     ; / put them in the two lower bits of the accumulator
082A   2A         ROL A         ;/
082B   8D FF DF   STA $DFFF     ;selects NeoRam 16k block
082E   A2 00      LDX #$00

0830   BD 00 DE   LDA $DE00,X   ;\ transfer 256-byte chunks, always from the $DE00-$DEFF
0833   9D 00 10   STA $1000,X   ; \ cartridge window, to $1000-$3FFF. The code starts
0836   E8         INX           ; / at $60C00-$63BFF in the cartridge memory: always 16kb
0837   D0 F7      BNE $0830     ;/ block 18h (24d), and 256b pages 0Ch-3Bh (12d-59d)

0839   EE 35 08   INC $0835     ;this increases the destination pointer by 256b
083C   EE 91 08   INC $0891     ;this increases the page on the cartridge pointer
083F   D0 03      BNE $0844     ;end of pages on the 16kb block
0841   EE 92 08   INC $0892     ;next 16kb block

0844   AD 35 08   LDA $0835     ;
0847   C9 40      CMP #$40      ;check if end of count
0849   D0 B5      BNE $0800     ;loop

084B   4C 00 10   JMP $1000     ;start the game

084E to 088D:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

088E   4C 00 DE   JMP $DE00
0891   0C        
0892   06
0893   00

0894 to 08B2:
65 6E 74 68 75 73 69 20 6F 66 20 6F 6E 73 6C 61
75 67 68 74 20 20 20 6F 70 74 69 6F 6E 73 3A
"enthusi of onslaught   options:"
08B3   7C
08B4   00        
08B5   00        
08B6   7C        
08B7 to 08E5:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Basically what it does is load a contiguous zone from the cartridge to main memory at 1000h. This is very good news, because then I can take the chunk directly from the cartridge image and disassemble it outside WinVice, the emulator and debugger I am using.
« Last Edit: 2017.November.01. 22:19:06 by gflorez »
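
The addressing the loader performs, as an added example that is not part of the original post: this Python sketch splits the 16-bit page pointer held at $0892:$0891 into the $DFFF/$DFFE values and carves the same pages out of a flat cartridge image. It assumes offset 0 of the image is block 0, page 0 (as the thread states); the function names and the synthetic test image are constructed for illustration.

```python
PAGE_SIZE = 0x100          # 256-byte window at $DE00-$DEFF
PAGES_PER_BLOCK = 0x40     # 64 pages in each 16 KB block


def registers_for(page_ptr):
    """Split the 16-bit page pointer ($0892:$0891) the way the loader does.

    Returns (block, page): the values written to $DFFF and $DFFE.
    """
    lo, hi = page_ptr & 0xFF, (page_ptr >> 8) & 0xFF
    page = lo & 0x3F                          # AND #$3F        -> $DFFE
    block = ((hi << 2) | (lo >> 6)) & 0xFF    # 2x ASL/ROL pair -> $DFFF
    return block, page


def image_offset(block, page):
    """Linear offset of a block/page selection in a flat image dump."""
    return (block * PAGES_PER_BLOCK + page) * PAGE_SIZE


def carve(image, page_ptr=0x060C, dest_start=0x1000, dest_end=0x4000):
    """Copy pages as the loader does until the destination reaches dest_end.

    Defaults are the values in the posted listing: $0891=$0C, $0892=$06,
    destination $1000, loop ends when the destination high byte is $40.
    """
    out = bytearray()
    for _ in range((dest_end - dest_start) // PAGE_SIZE):
        block, page = registers_for(page_ptr)
        off = image_offset(block, page)
        chunk = image[off:off + PAGE_SIZE]
        if len(chunk) != PAGE_SIZE:
            raise ValueError(f"image too short at offset {off:#x}")
        out += chunk
        page_ptr = (page_ptr + 1) & 0xFFFF    # INC $0891, carry into $0892
    return bytes(out)


if __name__ == "__main__":
    # Constructed 512 KB image: each page is filled with its page number mod 256,
    # so the carved data shows which pages were read.
    image = bytes((i // PAGE_SIZE) & 0xFF for i in range(512 * 1024))
    code = carve(image)
    block, page = registers_for(0x060C)
    print(f"block={block:#04x} page={page:#04x} "
          f"offset={image_offset(block, page):#x} length={len(code):#x}")
```

With a real image, `carve(open(path, "rb").read())` returns the bytes the loader places at $1000, ready to feed to an offline disassembler with that origin.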

Offline geco

Re: Mapping and disassembling C64's Maniac Mansion
« Reply #11 on: 2017.October.29. 21:06:02 »
Cool :)
Do you use ICU64, or the infiltrator disassembler?
I downloaded them this weekend; they seem to be useful.

Online gflorez

Re: Mapping and disassembling C64's Maniac Mansion
« Reply #12 on: 2017.October.29. 21:11:19 »
Being little chunks I have used an online disassembler: masswerk.

But from now on I will need one installed. Thanks for the advice.

Offline geco

Re: Mapping and disassembling C64's Maniac Mansion
« Reply #13 on: 2017.October.29. 21:14:55 »
Quote: "Being little chunks I have used an online disassembler: masswerk. But from now on I will need one installed. Thanks for the advice."
I would suggest both of them, ICU works on the fly, the other works on snapshots.